-
-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EVP_MD lost 'type' filed if built with no-autoalginit #20221
Comments
Without automatically loading algorithms, the types will be allocated starting from zero instead of being pre-allocated. This is a function of how providers operate -- new algorithms get integer indices starting from zero. I can't imagine that it will cause problems, but I've never tried it. |
Hi, thanks for quick feedback. This problem causes PKCS7_sign() to fail because this function uses EVP_MD_fetch() to get EVP_MD* and then retrieves EVP_MD* based on 'type' filed, I guess this filed should be NID and be fixed?
|
Yeah, that would be a bug. I'm not sure how to support no-autoalginit. The name/NID mappings won't exist without initing the algorithsm and without that no lookup by NID or OID will work. |
FIX: openssl#20221 The value of 'type' will be lost if using EVP_MD_fetch() to retrieve EVP_MD when building with OPENSSL_NO_AUTOALGINIT. Manually add it back here. Signed-off-by: Yi Li <yi1.li@intel.com>
FIX: openssl#20221 The value of 'type' will be lost if using EVP_MD_fetch() to retrieve EVP_MD when building with OPENSSL_NO_AUTOALGINIT. Manually add it back here. Signed-off-by: Yi Li <yi1.li@intel.com>
The earlier answers aren't quite right. Fetched algorithms aren't guaranteed to have an associated OBJ or NID, because provider based implementation aren't designed for it. We do place the NID into the Unfortunately, there are a few subsystems that weren't fully upgraded to deal with a provider world. PKCS#7 and CMS are among those, there's definitely a bit of work to do there. |
@levitte, create an issue for this perhaps? |
There is a collection of issues to raise, and that'll be quite a write-up. I actually thought I already had raised this before we released 3.0.0... but maybe that got lost. |
It would be nice to know the root cause. Thanks, I closed my PR and look forward to your issues. |
Hi @levitte , any update here, do we have new issue about this bug? |
Sorry for the delay, I've had a few other and higher priority things on my table, and they still preoccupy me. But, I do plan on taking on the bigger issue (lack of provider support in some sections of libcrypto) next (that's still a week or so away, mind you) |
Oh i see, thank you! |
This bug impacts PEM_write_bio_PrivateKey as well if the enc field has a non-NULL algorithm defined. PKCS5_pbe2_set_iv_ex(): |
++visibility |
This issue impacts EDK2 http boot (based on openssl TLS/SSL implementation) as well, but I don't have root cause it yet.. |
Hi All,
To reduce the size of the generated binary as possible, I tried to build openssl with 'no-autoalginit' and manually added the required digest.
The strange thing is that the value of 'type' will be lost when using EVP_MD_fetch() to retrieve EVP_MD after EVP_add_digest(). Automatic initialization algorithm (without 'no-autoalginit') does not have this problem.
Any hints about it? More details and configure as below, thanks.
build with 'no-autoalginit' and:
EVP_add_digest (EVP_sha256 ());
TestMD = EVP_MD_fetch (NULL, "sha256", NULL);
without 'no-autoalginit':
Whole configure list:
"no-afalgeng",
"no-aria",
"no-async",
"no-autoalginit",
"no-autoerrinit",
"no-autoload-config",
"no-bf",
"no-blake2",
"no-camellia",
"no-capieng",
"no-cast",
"no-chacha",
"no-cmac",
"no-cmp",
"no-cms",
"no-ct",
"no-deprecated",
"no-des",
"no-dgram",
"no-dsa",
"no-dso",
"no-dynamic-engine",
"no-ec2m",
"no-engine",
"no-err",
"no-filenames",
"no-gost",
"no-hw",
"no-idea",
"no-makedepend",
"no-module",
"no-md4",
"no-mdc2",
"no-pic",
"no-ocb",
"no-ocsp",
"no-padlockeng",
"no-poly1305",
"no-posix-io",
"no-rc2",
"no-rc4",
"no-rc5",
"no-rfc3779",
"no-rmd160",
"no-scrypt",
"no-seed",
"no-shared",
"no-siphash",
"no-siv",
"no-sm4",
"no-sock",
"no-srp",
"no-srtp",
"no-sse2",
"no-ssl",
"no-ssl3-method",
"no-ssl-trace",
"no-static-engine",
"no-stdio",
"no-threads",
"no-ts",
"no-ui",
"no-whirlpool",
"disable-legacy",
# OpenSSL1_1_1b doesn't support default rand-seed-os for UEFI
# UEFI only support --with-rand-seed=none
"--with-rand-seed=none",
"--api=1.1.1"
The text was updated successfully, but these errors were encountered: